Machine Learning – Taking Your Security Team to the Next Level

By: Raj Samani, Head of Strategic Intelligence, McAfee LLC

Machine learning is all around us, enriching our online lives every day. We see it when search engines accurately predict what we’re looking for after we type only a few letters. We feel it protecting our bank accounts by evaluating credit card transactions for signs of fraud. We notice it in the selection of articles and ads in online newspapers. We no longer think twice about these conveniences; in fact, it’s hard to imagine online life without machine learning.

In cybersecurity, machine learning has changed the game as a means of managing the massive amounts of data within corporate environments. However, it lacks the innately human ability to solve problems creatively and to analyse events intellectually. It has been said time and again that people are a company’s greatest asset. Machine learning makes security teams better, and security teams make machine learning better. Human-machine teams deliver the best of both worlds.

The dark web is driven by intelligent bad actors who are often financially motivated to create new threats with new attack techniques. Because there are people behind the attacks, the most sustainable defence is also a human-machine team. CSOs should empower security operations to blend the best elements of art and science: security team members provide creative responses, and machine learning provides high-performance, data-driven responses. Machine learning can detect patterns hidden in the data at speed, but its less obvious value is automating enough of the routine work that humans have the time and focus to devise creative responses when the right response is not obvious. Weighing each task against the respective strengths of humans and machines makes it easier to decide which part of the relationship should do what.

Machine learning adds critical capability to security strategies

Security researchers analysing malware to develop signatures remains important, but only as a way of handling the large volume of known malware: signature writing cannot be expected to keep pace with the rate at which new malware is introduced into the wild. Machine learning becomes the fastest way to identify new attacks and push that information out to endpoint security platforms. The key differentiator when incorporating machine learning into endpoint security is the amount of relevant data the algorithms consume.

User experience is optimized – Machine-learning algorithms feed the endpoint information about file attributes that indicate the presence of malware. These attributes may relate to file type, size and source, as well as header anomalies and detected sequences of operating system calls. A quick scan before execution lets security perform its preliminary triage without souring the user experience. Because this stage runs before anything executes, it should stay cheap and bounded: parse headers and attributes, never run the file.
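The pre-execution attribute check described above, as an added example that is not McAfee’s code or any product’s classifier: it parses the DOS, COFF and section headers of a PE file without executing it, derives the kind of attributes the paragraph names (size, header sanity, section layout, entropy as a proxy for packing) and tags anomalies. The anomaly names, the entropy and size thresholds, the triage verdict cut-offs and the two sample files built by build_sample are all constructed for illustration.

```python
# Pre-execution static triage of a PE file from header attributes (added example).
# Thresholds, anomaly tags and the sample files are constructed assumptions.
import hashlib
import math
import struct
import time

SEC_MEM_EXECUTE = 0x20000000  # IMAGE_SCN_MEM_EXECUTE
SEC_MEM_WRITE = 0x80000000    # IMAGE_SCN_MEM_WRITE
COMMON_SECTIONS = {b".text", b".data", b".rdata", b".bss", b".idata", b".edata",
                   b".rsrc", b".reloc", b".tls", b".pdata"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for packed/encrypted data, low for plain code or text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def extract_features(data: bytes) -> dict:
    """Parse DOS, COFF and section headers; return features plus anomaly tags. Nothing is executed."""
    feats = {"size": len(data), "anomalies": [], "sections": []}
    anomalies = feats["anomalies"]
    if len(data) < 0x40 or data[:2] != b"MZ":
        anomalies.append("no_mz_header")
        return feats
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        anomalies.append("bad_pe_signature")
        return feats
    machine, nsec, timestamp, _symtab, _nsyms, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    feats.update(machine=machine, timestamp=timestamp, characteristics=chars)
    if nsec == 0 or nsec > 96:
        anomalies.append("section_count_out_of_range")
    if timestamp == 0 or timestamp > time.time() + 86400:
        anomalies.append("implausible_timestamp")
    sec_off = e_lfanew + 24 + opt_size          # section table follows the optional header
    for i in range(min(nsec, 96)):
        off = sec_off + i * 40
        if off + 40 > len(data):
            anomalies.append("section_table_truncated")
            break
        (name, vsize, _va, rawsize, rawptr, _prel, _plin, _nrel, _nlin,
         sflags) = struct.unpack_from("<8sIIIIIIHHI", data, off)
        label = name.rstrip(b"\0").decode("ascii", errors="replace")
        ent = shannon_entropy(data[rawptr:rawptr + rawsize])
        feats["sections"].append({"name": label, "entropy": ent, "flags": sflags})
        if rawptr + rawsize > len(data):
            anomalies.append(f"{label}:raw_data_outside_file")
        if sflags & SEC_MEM_EXECUTE and sflags & SEC_MEM_WRITE:
            anomalies.append(f"{label}:writable_and_executable")
        if rawsize and vsize > 4 * rawsize:      # large unpack area, typical of packer stubs
            anomalies.append(f"{label}:virtual_size_far_exceeds_raw")
        if ent > 7.0:
            anomalies.append(f"{label}:high_entropy")
        if name.rstrip(b"\0") not in COMMON_SECTIONS:
            anomalies.append(f"{label}:unusual_section_name")
    return feats


def triage(data: bytes) -> str:
    """Illustrative pre-execution verdict from the anomaly count (cut-offs are assumed)."""
    n = len(extract_features(data)["anomalies"])
    return "block" if n >= 3 else "suspicious" if n else "allow"


def build_sample(packed: bool) -> bytes:
    """Constructed minimal PE32 image with one section; packed=True mimics a packer stub."""
    e_lfanew, opt_size, raw_ptr = 0x80, 0xE0, 0x200
    if packed:
        body, seed = b"", b"constructed-seed"
        while len(body) < 4096:                 # deterministic pseudo-random, high entropy
            seed = hashlib.sha256(seed).digest()
            body += seed
        name, vsize, flags, stamp = b"UPX1", 0x10000, SEC_MEM_EXECUTE | SEC_MEM_WRITE | 0x20, 0
    else:
        body = b"\x55\x8b\xec" + b"\x90" * 500 + b"\xc3"   # push ebp; mov ebp,esp; nops; ret
        name, vsize, flags, stamp = b".text", len(body), SEC_MEM_EXECUTE | 0x40000000 | 0x20, 1_600_000_000
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")
    sec = struct.pack("<8sIIIIIIHHI", name, vsize, 0x1000, len(body), raw_ptr, 0, 0, 0, 0, flags)
    return (dos + coff + opt + sec).ljust(raw_ptr, b"\0") + body


if __name__ == "__main__":
    for packed in (False, True):
        sample = build_sample(packed)
        print("packed" if packed else "benign", triage(sample), extract_features(sample)["anomalies"])
```

Every offset read is bounds-checked before use, which is the property a pre-execution scanner needs most: a malformed header must degrade to an anomaly tag, not a crash in the scanner itself.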

Suspicious behaviour flagged automatically – Once the program is running, machine learning on the endpoint monitors its behaviour for signs of an attack. This runtime detection is driven by knowledge of attack tactics, again uncovered by machine-learning analysis of malware samples in the datacentre. Where the pre-execution check uses file attributes to make a malware decision, runtime detection requires knowledge of the specific actions attackers are likely to take. For example, ransomware can render your files useless in less than a minute. Machine-learning analysis of ransomware attacks may uncover the timing and access patterns on file shares that indicate an attack is underway, allowing endpoint security to stop the threat before all files are encrypted. The practical measure of such a detector is how early in the burst it fires: every second of delay is another batch of files to restore.

Highly valuable investigation and response data available automatically – To help security teams respond to an incident, machine learning can identify suspicious connections and raise alerts based on statistical scoring rather than hand-written rules. Security analysts then need precise information on the threat: files touched, registry changes, server connections and so on. Because machine learning looks across multiple dimensions, much of the data that incident response teams require is already available, where it has traditionally required extensive manual correlation. Ideally, this investigation and response data would be presented through the endpoint management console already in place. The result is significant time savings, with a factor of 10 not uncommon, that help security teams keep the business running.
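The two behaviours described above, a runtime detector for the file-share access pattern of ransomware and the automatic assembly of the files touched, registry changes and connections an analyst asks for first, as one added example that is not McAfee’s code or any product’s detector. The JSON-lines telemetry produced by make_sample_log, its field names, the 10-second window and the 20-file threshold are all constructed assumptions; the detector counts distinct files a single process has modified within the window, and the summary correlates every event dimension for the flagged process.

```python
# Runtime burst detection plus incident summary over endpoint telemetry (added example).
# The log format, field names, window and threshold are constructed assumptions.
import json
from collections import defaultdict, deque

WINDOW_S = 10.0    # assumed sliding window
BURST_FILES = 20   # assumed distinct-file threshold within the window


def make_sample_log() -> str:
    """Constructed telemetry: a document editor, then a process that beacons out,
    sets a Run key and rewrites 40 files on a share in four seconds."""
    t = 1_700_000_000.0
    rows = [
        dict(ts=t, pid=100, image="winword.exe", type="file_write", target=r"\\fs01\docs\q3-plan.docx"),
        dict(ts=t + 2, pid=100, image="winword.exe", type="file_write", target=r"\\fs01\docs\q3-plan.docx"),
        dict(ts=t + 30, pid=4242, image="update.exe", type="net_connect", target="203.0.113.10:443"),
        dict(ts=t + 31, pid=4242, image="update.exe", type="registry_set",
             target=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
    ]
    for i in range(40):
        path = rf"\\fs01\docs\report-{i:02d}.docx"
        rows.append(dict(ts=t + 32 + i * 0.1, pid=4242, image="update.exe", type="file_write", target=path))
        rows.append(dict(ts=t + 32.05 + i * 0.1, pid=4242, image="update.exe", type="file_rename",
                         target=path, new_target=path + ".locked"))
    return "\n".join(json.dumps(r) for r in rows)


def parse_log(text: str) -> list:
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_encryption_burst(events, window_s=WINDOW_S, burst_files=BURST_FILES):
    """Return the first point at which one process has modified >= burst_files distinct
    files within window_s seconds, or None. Writes and renames both count as modification."""
    recent = defaultdict(deque)      # pid -> deque of (ts, path) inside the window
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] not in ("file_write", "file_rename"):
            continue
        q = recent[e["pid"]]
        q.append((e["ts"], e["target"]))
        while q and e["ts"] - q[0][0] > window_s:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= burst_files:
            return {"pid": e["pid"], "image": e["image"], "ts": e["ts"],
                    "files_in_window": len(distinct), "elapsed_s": e["ts"] - q[0][0]}
    return None


def incident_summary(events, pid: int) -> dict:
    """Correlate every telemetry dimension for one process into the data an analyst needs first."""
    files, regs, conns, exts = set(), [], [], set()
    for e in (x for x in events if x["pid"] == pid):
        if e["type"] in ("file_write", "file_rename"):
            files.add(e["target"])
            if e["type"] == "file_rename":
                exts.add(e["new_target"].rsplit(".", 1)[-1])
        elif e["type"] == "registry_set":
            regs.append(e["target"])
        elif e["type"] == "net_connect":
            conns.append(e["target"])
    return {"pid": pid, "files_touched": sorted(files), "registry_changes": regs,
            "connections": conns, "new_extensions": sorted(exts)}


if __name__ == "__main__":
    evs = parse_log(make_sample_log())
    hit = detect_encryption_burst(evs)
    print("alert:", hit)
    if hit:
        print(json.dumps(incident_summary(evs, hit["pid"]), indent=2))
```

The detector fires on the twentieth distinct file, about two seconds into a burst that would otherwise take four, and the summary is built from the same event stream, so the beacon destination and the persistence key are already attached to the alert when the analyst opens it.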

Elevate security teams with machine learning

People matter most, but combining human intelligence with machine-learning technology creates strong security teams. The visibility into tactics across the entire attack chain that machine learning affords is critical to enhancing the relationship between security teams and technology. Machine learning lets security teams devise new defences quickly, adapt to attackers’ automated processes and make it harder for them to be effective. Remember that machine learning can place activity observed by different security products into a single time sequence. With that assistance, security teams have greater insight into who the attacker is, the methods being used, where the attacks are coming from and how they are spreading, as well as which security measures are working and which are being defeated.

Most importantly, the presentation of machine-learning results enables people in security teams to do what they do best – create intelligent, innovative and effective solutions to new threats before significant damage is done to the business. If people are the company’s greatest assets, then machine learning helps make them even greater.

To close, machine learning should be a critical component of an enterprise’s endpoint security strategy. Given the volume and evolution of attacks hammering away at endpoints, security must be able to adapt without human intervention, and must provide the visibility and focus that enable humans to make more informed decisions. Machine learning has come of age, with big data driving accuracy up and false positives down. The proof of successful human and technology teaming will be seen in the ability to rapidly triage and dismiss false alerts and to accelerate solutions that thwart new threats. Your users deserve the best that cybersecurity has to offer, and today the best endpoint security products leverage machine learning.